The Consumer Financial Protection Bureau (CFPB) announced on March 2, 2016, that it had entered into a consent order with online payment platform Dwolla to resolve the CFPB’s claims regarding statements made by Dwolla about the privacy and security of customer data. Under the consent order, Dwolla agreed to pay a $100,000 fine and implement, to the extent not already in place, reasonable and appropriate security measures to protect customers’ personal information. The consent order is notable because it is the first privacy- and security-related action by CFPB and because the basis for bringing the claim was the CFPB’s UDAAP authority to declare practices “unfair, deceptive, or abusive” under 12 U.S.C. § 5531(a) even though there was no finding of any actual consumer harm. This approach closely tracks enforcement actions brought by the Federal Trade Commission under Section 5 of the FTC Act.

The CFPB took issue with Dwolla’s claims that its payment platform was safe and that its customers’ personal information was secure. When individuals register for an account to use Dwolla’s online payment services, they are required to provide personal information, including their name, address, date of birth, phone number, and Social Security number. Customers can also link a bank account to fund payment transfer requests. The CFPB alleged that Dwolla failed to employ reasonable and appropriate measures to protect this customer data. In addition to general statements about the network and transactions being “safe” and “secure,” specific representations that the CFPB claimed to be false included:

  • Dwolla transactions are “safer [than credit cards] and less of a liability for both consumers and merchants.”
  • Dwolla’s data security practices “exceed industry standards” or “surpass industry security standards.”
  • Dwolla “sets a new precedent for the industry for safety and security.”
  • With regard to encryption, “all information is securely encrypted and stored,” and Dwolla “encrypt[s] data in transit and at rest.”
  • Dwolla is “PCI compliant.”

The CFPB also found, according to the consent order, that Dwolla (1) was late to adopt data security policies and procedures – having failed to implement policies and procedures for two years after launching its services; (2) failed to conduct regular risk assessments; (3) failed to implement reasonable data security employee training; (4) encouraged consumers to submit Social Security numbers and scans of drivers’ licenses and passports by email to expedite the registration process; and (5) failed to test the security of its apps prior to releasing them publicly. The consent order gave, as an example, a December 2012 email phishing test where more than half the tested Dwolla employees clicked the link in the phishing email and 25 percent then provided their user names and passwords.

In addition to paying the fine, Dwolla agreed to implement and maintain a comprehensive data security plan, adopt and implement reasonable and appropriate data security policies and procedures, designate a qualified person to be responsible for the data security program, perform data security risk assessments twice a year, conduct annual audits, conduct regular employee training, and develop a process for selecting and overseeing vendors. The consent order also included obligations related to involvement and oversight by Dwolla’s board of directors.

Dwolla published an article on its blog describing the “meaningful protections we’ve implemented up, down, and across the company” and including this apology:

“Dwolla was incorporating new ideas because we wanted to build a safer product, but at the time we may not have chosen the best language and comparisons to describe some of our capabilities. It has never been the company’s intent to mislead anyone on critical issues like data security. For any confusion we may have caused, we sincerely apologize.”